On 29/10/14 09:03, Gayathri Manoj wrote:
> Hi Matt,
>
> Thanks Matt.
>
> Please let me know RSA_public_decrypt() is FIPS compliant in later
> version (openssl 1.0.x).
>
> Currently I am using RSA_public_decrypt() in openssl-0.9.8l and not found
> any issues in FIPS mode. To address some of the CVE, I have upgraded
> openssl - from 0.9.8l to openssl-0.9.8ZA and encountered the
> decryption issue.
I am slightly surprised that you are using RSA_public_decrypt in FIPS mode
without issues. I just checked the source code:

    int RSA_public_decrypt(int flen, const unsigned char *from,
                           unsigned char *to, RSA *rsa, int padding)
    {
    #ifdef OPENSSL_FIPS
        /* In FIPS mode the raw public-key operation is refused unless the
         * application has explicitly opted out with RSA_FLAG_NON_FIPS_ALLOW. */
        if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
        {
            RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
                   RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
            return 0;
        }
    #endif
        return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
    }

with the flag RSA_FLAG_NON_FIPS_ALLOW defined as follows:

    /* If this flag is set the operations normally disabled in FIPS mode are
     * permitted; it is then the application's responsibility to ensure that
     * the usage is compliant.
     */
    #define RSA_FLAG_NON_FIPS_ALLOW 0x0400

As you can see from the above, if FIPS mode is set you should not be able to
use RSA_public_decrypt *unless* you have also set RSA_FLAG_NON_FIPS_ALLOW...in
which case it is up to you to ensure compliance.

The above is the code from 0.9.8...similar code exists for later versions,
i.e. you should not be able to call this function in FIPS mode.

> To address some of the CVE, I have upgraded
> openssl - from 0.9.8l to openssl-0.9.8ZA and encountered the
> decryption issue.

Sorry, I don't understand this. What decryption issue?

> As per your explanation, to make the system FIPS compliant in 0.9.8za, I
> have to
> 1. replace the RSA_public_decrypt() with EVP_Verify()
>        EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal()
>        EVP_VerifyUpdate() - A buffer with the data to be verified. Same
>        data in EVP_SignUpdate()
>        EVP_VerifyFinal - same signature which is used for EVP_SignFinal()
> 2. Needs to make similar changes in signing part using EVP_Sign*()
>        EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal()
>        EVP_SignUpdate() - should contain the data to be signed
>        EVP_SignFinal - should contain a buffer to receive the signature

That would be the recommended approach, yes.
Although you didn't answer my question about what signature scheme is in use,
e.g. RSASSA-PKCS1-v1.5 or RSASSA-PSS. If your existing signing code is not
using a FIPS compliant and openssl supported signature scheme then the above
will not work for verifying existing signatures (which may or may not be a
problem for you depending on the lifetime of these signatures in your
application).

> In 0.9.8 there is no other FIPS supported API for decryption.

Your terminology is confusing. We are not talking about decryption here. We
are talking about signing/verifying. Some of the underlying primitives are
the same, which is where RSA_public_decrypt comes in, but talking about
decryption confuses the issue...unless I have misunderstood what you are
asking me?

The recommended approach for doing signing/verifying in 0.9.8 is EVP_Sign*
and EVP_Verify*.

Matt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
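Added illustration, not code from this thread, from OpenSSL or from either poster: a pure-Python model of what RSASSA-PKCS1-v1.5 signing and verification do on top of the raw RSA primitive. It makes Matt's point concrete: "RSA_public_decrypt" is only the modular exponentiation step of verification, and a compliant verify (what EVP_VerifyFinal does) also rebuilds the EMSA-PKCS1-v1_5 encoding and compares the whole recovered block against it. The key generation, Miller-Rabin test and 512-bit key size are constructed for the demo and are far too small for real use; only the SHA-256 DigestInfo prefix is a real, fixed constant from PKCS#1.

```python
import hashlib
import hmac
import random

# Real constant (PKCS#1 / RFC 8017, section 9.2 note 1): DER prefix of the
# DigestInfo structure for SHA-256. The hash value is appended to it.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (0xFF bytes, >= 8) || 0x00 || DigestInfo."""
    digest_info = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(digest_info) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(digest_info) - 3)
    return b"\x00\x01" + ps + b"\x00" + digest_info


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for a constructed demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_toy_rsa_key(bits: int = 512):
    """Constructed demo key (toy size). Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))


def rsa_sign_pkcs1_v1_5(private_key, message: bytes) -> bytes:
    """Signing path (what EVP_Sign* does): encode the digest, then private-key op."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v1_5_encode(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_verify_pkcs1_v1_5(public_key, message: bytes, signature: bytes) -> bool:
    """Verification path (what EVP_VerifyFinal does): the public-key op is the
    RSA_public_decrypt primitive; the scheme is that op PLUS a full comparison
    of the recovered block against a freshly computed encoding."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")   # the raw primitive step
    expected = emsa_pkcs1_v1_5_encode(message, k)
    # Compare the entire encoding (padding included), in constant time.
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    pub, priv = generate_toy_rsa_key()
    msg = b"constructed sample message"          # constructed input
    sig = rsa_sign_pkcs1_v1_5(priv, msg)
    print(rsa_verify_pkcs1_v1_5(pub, msg, sig))         # True
    print(rsa_verify_pkcs1_v1_5(pub, msg + b"!", sig))  # False
```

The comparison covers the whole recovered block, not just the trailing hash bytes; accepting a block whose padding is malformed is the classic verifier mistake that a hand-rolled "public decrypt then compare" tends to make, and letting the library's verify routine do the check is part of why the EVP_Verify* interface is the recommended one.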